Unsealed Court Docs Show FBI Used Malware Like ‘A Grenade’

In 2013, the FBI received permission to hack over 300 specific users of the dark web email service TorMail. But now that the warrants and their applications have finally been unsealed, experts say the agency illegally went further and hacked perfectly legitimate users of the privacy-focused service.

“That is, while the warrant authorized hacking with a scalpel, the FBI delivered their malware to TorMail users with a grenade,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an email.

The move comes after the ACLU pushed to unseal the case dockets in September. The Department of Justice recently decided to publish redacted versions of related documents.

In 2013, the FBI seized Freedom Hosting, a service that hosted dark web sites, including a large number of child pornography sites and the privacy-focused email service TorMail. The agency then went on to deploy a network investigative technique (NIT)—a piece of malware—designed to obtain the real IP address of those visiting Freedom Hosting sites. According to the new documents, the NIT was used against users of 23 separate websites.

The new documents confirm that TorMail users were among those targets: the recently unsealed affidavits list a total of over 300 redacted TorMail accounts that the FBI wanted to hack. All of these accounts were allegedly linked to child pornography-related crimes, according to the court documents.

Importantly, the affidavits say that the NIT would only be used to “investigate any user who logs into any of the TARGET ACCOUNTS by entering a username and password.”

But, according to sources who used TorMail and to previous reporting, the NIT was deployed before the TorMail login page was even displayed. Since the service could not know which account a visitor belonged to until that visitor entered a username and password, this raises the question of how the FBI could have limited delivery to the specific accounts named in the warrant.

One former TorMail user previously told Motherboard that the malware—which was quickly discovered and ripped apart by researchers at the time—“appeared before you even logged in.” WIRED’s coverage from 2013 also suggested that anyone who visited TorMail was presented with an error page carrying the malware.
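The scope problem above is easy to see in a small model. The following is an added illustration, not code from the article, from TorMail, or from the FBI's NIT: it models two delivery points, one gated on a successful login to a listed account (the condition the affidavits describe) and one served on the page shown before login (the behaviour users reported), and tallies how many visitors each reaches. The account names, the credential table and the visits are constructed placeholders standing in for the redacted target list and the unknown TorMail backend.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the redacted TARGET ACCOUNTS in the affidavits.
TARGET_ACCOUNTS = {"suspect_a", "suspect_b"}

# Constructed credential store (username -> sha256 of password). The real
# TorMail backend is unknown; this exists only so that "logs in" means something.
CREDENTIALS = {
    "suspect_a": hashlib.sha256(b"pw-a").hexdigest(),
    "journalist": hashlib.sha256(b"pw-j").hexdigest(),
    "activist": hashlib.sha256(b"pw-x").hexdigest(),
}


@dataclass
class Visit:
    """One visitor's interaction with the mail site: some only load the
    front page, some submit credentials. Identity is unknown until login."""
    username: Optional[str] = None
    password: Optional[str] = None


def login_succeeds(visit: Visit) -> bool:
    """True only when the visitor presents a valid username and password."""
    if visit.username is None or visit.password is None:
        return False
    stored = CREDENTIALS.get(visit.username)
    if stored is None:
        return False
    given = hashlib.sha256(visit.password.encode()).hexdigest()
    return hmac.compare_digest(stored, given)


def scoped_delivery(visit: Visit, targets) -> bool:
    """Warrant condition: deliver only to a user who logs into one of the
    TARGET ACCOUNTS by entering a username and password."""
    return login_succeeds(visit) and visit.username in targets


def pre_login_delivery(visit: Visit) -> bool:
    """Reported behaviour: payload is in the page shown before login, so the
    server has no account name to check against and every visitor receives it."""
    return True


def tally(visits, targets):
    """Count how many visitors each delivery point reaches, and how many of
    those are outside the warrant's scope (not logged into a target account)."""
    result = {
        "scoped_hits": 0,
        "scoped_out_of_scope": 0,
        "prelogin_hits": 0,
        "prelogin_out_of_scope": 0,
    }
    for v in visits:
        in_scope = login_succeeds(v) and v.username in targets
        if scoped_delivery(v, targets):
            result["scoped_hits"] += 1
            if not in_scope:
                result["scoped_out_of_scope"] += 1
        if pre_login_delivery(v):
            result["prelogin_hits"] += 1
            if not in_scope:
                result["prelogin_out_of_scope"] += 1
    return result


# Constructed sample traffic: one target login, one failed target login,
# two legitimate users, and one visitor who never logs in at all.
SAMPLE_VISITS = [
    Visit("suspect_a", "pw-a"),
    Visit("suspect_a", "wrong-password"),
    Visit("journalist", "pw-j"),
    Visit("activist", "pw-x"),
    Visit(),
]

if __name__ == "__main__":
    print(tally(SAMPLE_VISITS, TARGET_ACCOUNTS))
```

On the sample traffic the login-gated path reaches exactly one visitor, the target who actually logged in, while the pre-login path reaches all five, four of whom are outside the warrant's terms. The model does not say anything about what the NIT did once delivered; it only shows why delivery before authentication cannot be confined to a list of accounts.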

“The warrant that the FBI returned to the court makes no mention of the fact that the FBI ended their operation early because they were discovered by the security community, nor does it acknowledge that the government delivered their malware to innocent TorMail users. This strongly suggests that the FBI kept the court in the dark about the extent to which they botched the TorMail operation,” Soghoian added.

“What remains unclear is if the court was ever told that the FBI had exceeded the scope of the warrant, or whether the FBI agents who hacked innocent users were ever punished,” he continued.

Christopher Allen, a spokesperson for the FBI, told Motherboard in an email that, “As a matter of practice the FBI narrowly tailors warrants, and we do not exceed the scope of those warrants.”